What is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations called?

Enhance your preparation for the Federal IT Security Professional Test. Use quizzes, flashcards, and detailed explanations to ensure success. Stay ahead in the field of IT Security!

Multiple Choice

What is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations called?

Explanation:
The correct answer is anomaly-based detection. The wording of the question follows the NIST SP 800-94 definition: the detector first builds a baseline (a profile) of what normal activity looks like for hosts, users, applications or the network, usually by observing a training period, and then continuously compares current events against that profile. When an observation deviates from the profile by a significant margin, it is flagged as suspicious. Because the comparison is against normal behaviour rather than against a catalogue of known attack patterns, this approach can catch previously unseen or evolving threats that have no signature. The trade-off is accuracy: the baseline may be unrepresentative, legitimate changes (a new backup job, a newly deployed application) look like deviations until the profile is retuned, and an attacker who is already active during the training period can be baked into the profile as "normal". Tuning, periodic refresh of the profile and analyst context are therefore essential.

The other options describe different concepts. Stateful protocol analysis also compares observed events against a profile, but the profile is a vendor-supplied definition of how a protocol should behave in each of its states (for example, which FTP commands are valid before and after a login), not a baseline learned from this environment's own normal activity. SSL (today TLS) and IPsec are protocols that protect data in transit with encryption and authentication; they are not detection methods at all.
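The following is an added worked example, not part of the quiz page: a minimal anomaly-based detector that learns a per-host baseline of daily outbound traffic from a constructed training window, scores new observations by how many standard deviations they sit from that baseline, and shows the two caveats above (a false positive from a legitimate change, and why only analyst-reviewed observations should be folded back into the profile). The host names, byte counts and the 3-sigma threshold are all assumptions chosen for illustration.

```python
"""Anomaly-based detection over a per-host baseline (added example).

Constructed data: one row per host per day, outbound megabytes. A real
deployment would read these from a flow collector or NetFlow/IPFIX store;
here they are inline so the example runs offline.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window: 8 days of "normal" outbound MB per host.
TRAINING = [
    ("ws-101", 396), ("ws-101", 424), ("ws-101", 408), ("ws-101", 412),
    ("ws-101", 400), ("ws-101", 420), ("ws-101", 400), ("ws-101", 420),
    ("db-02", 1930), ("db-02", 2070), ("db-02", 1990), ("db-02", 2010),
    ("db-02", 1950), ("db-02", 2050), ("db-02", 1950), ("db-02", 2050),
]


def build_baseline(records):
    """Learn what 'normal' looks like: per-host mean and population stdev."""
    per_host = defaultdict(list)
    for host, mb in records:
        per_host[host].append(mb)
    return {h: (mean(v), pstdev(v)) for h, v in per_host.items()}


def score(baseline, host, mb, threshold=3.0):
    """Compare one observation with the baseline.

    Returns (z_score, verdict). verdict is one of:
      "normal"      - within `threshold` standard deviations of the mean
      "anomaly"     - significant deviation, raise an alert
      "no_baseline" - host never seen in training; cannot judge, so alert
    """
    if host not in baseline:
        return None, "no_baseline"
    mu, sigma = baseline[host]
    if sigma == 0:  # constant training values: any change at all is a deviation
        z = 0.0 if mb == mu else float("inf")
    else:
        z = (mb - mu) / sigma
    return z, "anomaly" if abs(z) > threshold else "normal"


def refresh_baseline(records, confirmed_benign):
    """Fold analyst-confirmed benign observations into the baseline.

    Only reviewed observations are added. Automatically absorbing every
    observation that was not alerted on (or worse, every one that was) lets an
    attacker who is active during the training window teach the detector that
    the attack is normal.
    """
    return build_baseline(list(records) + list(confirmed_benign))


if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    # Constructed observations for the next day. 1260 MB from a workstation is
    # flagged without any signature for the exfiltration tool involved.
    for host, mb in [("ws-101", 415), ("ws-101", 1260), ("db-02", 2350), ("ws-999", 50)]:
        z, verdict = score(baseline, host, mb)
        print(f"{host:8} {mb:6} MB  z={'-' if z is None else f'{z:6.1f}'}  {verdict}")
    # db-02's 2350 MB turns out to be a new nightly backup job: a false positive.
    # After the analyst confirms three days of it, the refreshed profile tolerates it.
    baseline = refresh_baseline(TRAINING, [("db-02", 2350), ("db-02", 2340), ("db-02", 2360)])
    print("db-02 after refresh:", score(baseline, "db-02", 2350))
```

Note that refreshing by simply appending the new days widens db-02's standard deviation rather than modelling the new schedule; in practice the profile would be keyed by time of day or day of week so that the backup window gets its own baseline instead of loosening the detector for every hour.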
